A long time reader of ShanKrila and a blogging friend of mine, Jeanne Dininni of Writer’s Notes contacted me yesterday by email with a computer question.
I’ve been battling a “PC Antispyware 2010” computer infestation. Don’t know whether you’re familiar with it or not, but I was hoping that maybe you’d be able to give me a little advice or recommend an effective tool for removing it. Otherwise, I’m pretty sure I’ll have to uninstall/reinstall Windows to get rid of it.
That’s when it dawned on me that I faced the same situation a few months back on my desktop and I fought hard to successfully remove it from my computer. But, I forgot to blog about it here even though I wrote about the Conficker worm. It would have helped Jeanne and many others looking for such information. So, I am sharing my experience with how I removed it here.
What is PC AntiSpyware 2010?
PC AntiSpyware 2010 is a rogue antispyware program that looks like a genuine antispyware program. You could get infected with it by visiting some malicious sites. Here are a few symptoms if you were infected with this:
- You will be prompted to run this program showing fake malware infections on your computer repeatedly
- It disables Windows Defender (Microsoft’s genuine security product)
- Disables your system security programs and spyware programs
- Disables you from updating any installed anti-virus program
- Disables the ability to install any new security software
- Redirects you from going to directly to any of the security software websites in Internet Explorer
Jeanne is Internet-savvy and she had done all the right things anyone would do in situations like this. In fact, I went through the same steps before realizing how sneaky this malware really is.
Here are a few things you would do if you had a virus in your computer
- Try to update and run Windows Defender
- Try to update and run installed Anti-virus software
- Try to update and run installed AntiSpyware programs like Spybot, Adaware, etc
- Try and run a RootkitRevealer program
- Use an advanced process program like Process Explorer to see currently running programs and kill suspicious processes
- Use a startup tweak program like Autoruns to disable unwanted stuff from automatically starting up
- Use HijackThis to see what programs may be malicious
PC AntiSpyware 2010 is so sneaky that it actually disables pretty much all these programs. It even disabled my command prompt and Control Panel.
It adds itself to your computers registry and even if you are able to clean up some of it, it automatically installs itself when you reboot your computer. Plus, I even saw it morph into installed genuine programs randomly so you can’t really find it in Task Manager. One sure indication that a genuine looking program is the malware is to kill it and see it spring back to life automatically. Mine was latching on to LogMeIn program even though I didn’t have it set to automatically startup.
So how did I get rid of this malware from my desktop?
Steps to remove PC AntiSpyware 2010
Using Malwarebytes’ Anti-Malware
- If your PC is still able to download and install security software, try and download –
Malwarebytes’ Anti-Malware - Run Malwarebytes’ Anti-Malware and see if this helps remove the infection. A lot of people seems to have luck with it.
I wasn’t so lucky as my infection wouldn’t even let me install this software. If that’s your case, read on.
Using Manual Registry Edits
You could also try manual file deletion and registry edits like described here. I haven’t tried this and I followed the next section to remove mine.
Using Bootime Anti-Virus Scanner – Recommended
Since most of the usual system cleanup methods are disabled, we are left with one solid option. To use a boot-time anti-virus solution. This ensures that any installed malware is not activated while you are cleaning up your computer.
Here are the steps I followed to clean up the infection successfully
- Download and burn a boot time anti virus software like Avira to CD/DVD (look below for a list of good ones I came across). Make sure you burn it as a bootable image and not as a data disk.
- Put the CD/DVD in your computer tray
- Shutdown your computer
- Disconnect the network cable from your computer
- Reboot your computer
- Most computers automatically boot from CD/DVD before trying to boot from the hard drive. If not, while booting go into System boot menu by hitting F2 or F10 (you will see a hint on that) continously and change your boot order to boot from CD/DVD first.
- Let the boot time anti virus software to do its job.
- Reboot your computer (without connecting to the Internet) and see if you can run the usual security programs now.
- If you can, connect to the Internet and update Windows Defender and your primary anti-virus programs immediately. Run a ‘full scan’ or ‘deep scan’ option on your computer with the latest updates.
If in step 8 you still see that your computer is infected, try using another boot time virus scan program through the same steps. There seems to be many variations of these infections and not all programs remove all infections. That’s why its best to download and keep multiple programs at hand while attempting this.
Here are a few Boot-time Antivirus Scanners that you can download and try
- Ultimate boot CD for Windows (includes an anti-virus software)
- Avira AntiVir Rescue System – a linux based virus scanner that is updated daily
- Kaspersky Rescue Disk
- BitDefender Rescue CD
- F-Secure Rescue CD
- Trinity Rescue CD Kit – A combination of popular free antivirus software in one kit with online update capabilities. For the advanced user.
Re-installing Windows isn’t fun unless you had a system restore image with all your favorite applications before hand. I had success cleaning up this pesky virus from my desktop and since been virus free. I make sure once in a while that all my virus definitions, firewall software and spyware software are updating regularly.
If you have any questions, please feel free to ask in the comments.
Jeanne, thanks for asking the question that prompted me to write this post. I hope you have your computer cleaned very soon.
K,
Thanks so much for this excellent, step-by-step explanation of how to get rid of PC Antispyware 2010! This is the worst computer infestation I’ve ever seen! It’s really insidious! It seems to know just how much to disable each anti-malware program to make it ineffective. It will allow some programs that are already on your system to run, only disabling selective features, such as the resident scanner, virus vault, and the program’s ability to scan archive files — all the features that would threaten its ability to do its dastardly deeds. (This is what it has done to my Avast! anti-virus program.) This way, it craftily manages to make you think you’re doing something to fight it, but it isn’t effective.
It also allows Ad-Aware to run but disables its Scheduler, so you can’t schedule a boot-time scan. Of course that means that, if you rely on this program to fight the infestation, you’ll never get rid of it, since it regenerates itself during startup. Other programs already on your system are totally disabled, such as Windows Defender (which won’t even initialize). As far as downloading new anti-malware programs or getting an online scan, you can forget that once you have this infection. If it allows you to download these programs (or the launchers required for online scans) at all, it prevents you from installing, opening, or running them. It’s definitely a tough one to get rid of!
Still have to get the bootable disk made on someone else’s computer (as you suggested because my system has so many infected files that could infect/disable the boot-time virus scanner). Hope to be able to do this soon! Can’t wait to be rid of this nasty bug that has infiltrated my entire PC!
Thanks again for your help and for sharing this valuable information with all your readers!
Jeanne
Great post!
Sometimes when downloading security software is blocked, it’s possible to download from alternative sources. For instance, check shareware/download sites. I searched Google for Malwarebytes and sites like CNET, MajorGeeks and FileHippo were near the top with malwarebytes available to download from their servers instead. That may bypass a download block…
This method worked for me the other day when I had to fix a friend’s computer, so it’s worth a try before giving up on that route.
K,
A lot has happened since I wrote my first comment on this post. After much online research, exploration/investigation of my computer system, and numerous “tweaks” here, there, and everywhere, I’ve managed to eradicate PC Antispyware 2010 without using the boot-time virus scanner and without reinstalling Windows!
Though yesterday was the turning point, I believe that some of the changes, reconfigurations, and malicious file deletions I’d made the day before helped bring it about. Unfortunately, I can’t remember everything I did, but I do know that when I booted up yesterday morning, though the PC Antispyware 2010 icon was still on my desktop, it looked different. It no longer had the fancy looking shield reproduced in your screenshot, which had made it appear legitimate, but instead had the bare-bones square white window icon with the blue bar at the top, which I believe indicates an application/utility. I noticed this and wondered about it. Then I went to work seeing what else I could try to rescue my system, while I waited to get someone to create the boot-time disk for me.
I decided to go back into Add or Remove Programs and try to restore my Avast! and Windows Defender programs — even though the day before, I’d gone in and clicked “Repair” and it hadn’t worked. This time I decided to try clicking “Change,” and both programs immediately updated and corrected themselves! Avast! regained the capabilities that had been disabled (resident scanner, virus vault, and ability to scan archive files), and Windows Defender (which had been totally incapacitated) came back to life!
Of course, I immediately used both programs to do two full scans of my system. Avast! found 27 infected files, including Trojans, rootkits, and Braviax — and it found multiple files that had been infected with the same Trojans! Windows Defender found two Trojan Downloaders and one Trojan. But, the amazing part is yet to come!
When I went into my Recycle Bin (not sure whether it was before or after the scans, though I know it was after I’d “changed” the two anti-malware programs), I discovered the Beep.sys file there (which contained a rootkit)! Of course, Beep.sys is the file that causes our computer to beep on startup. But, it’s also the file that I’d read at CM2 Consulting is generally used by hackers to execute and orchestrate an insidious Braviax infection (though this post was written a while back and wasn’t actually talking about a PC Antispyware 2010 infestation). I’d sort of discounted (or, to be more accurate, temporarily tabled it), since it was an older post, since I reasoned that the hackers had likely changed their tactics by now, and since I wanted to try other things before tackling the scary procedure they had described (which had to be executed in Recovery Console Mode and could cause more problems than it corrected if done by inexperienced users).
Well, it turned out that this blogger had been right all along! Here’s a link to his post: Removal of braviaxcru629 malware.
Anyway, once Avast! was working again, I was able to schedule a boot-time scan and so restarted my computer on the spot. After two hours of scanning, Avast! had found another rootkit in the System 32 folder, along with a number of corrupted files.
I later downloaded Malwarebytes’ Anti-Malware and ran a scan, and it found 16 infected files, some of which had executed commands such as “disable security system notify” and other such nasty orders.
This has really been a learning experience, but I seem to be free of the PC Antispyware 2010 infection — after nearly five days and one entire night of working on it! I do plan, however, to continue downloading as many anti-malware programs as I can find and running them to make sure I catch everything malicious that’s potentially hiding on my PC (since every program catches things the others don’t). Also plan to create the boot-time disk you’ve recommended in case this problem should recur.
Still have a few issues I need to work out — after I figure them out — to bring everything back to normal. (For example, still can’t open Spybot S&D, or even locate it in Add or Remove Programs so I can uninstall/reinstall it, and I still see no sign of my Windows Security Center in my Control Panel, though I know by checking my Services panel that it’s active and running.) But at least I’m free of PC Antispyware 2010! And good riddance to it!
Thanks again, K, for all your help, because you’re the one who made me realize that a boot-time scan was what it would take to stop this infection from continually regenerating itself, since it does that on startup. Even though I was able to use my resident anti-virus program to do it, rather than the rescue disk you recommended, it was only because your expertise led me in the right direction that I knew what to do.
Really appreciate your help!
Jeanne
I meant the System 32 folder (in par. 7), not the System 23 folder! Sorry!
Jeanne,
First of, thank you so much for coming back with your findings. I am so glad to hear that you were able to get rid of this insidious infection.
I was glad to be of help but I think you have done all the right things in this situation to get rid of this infection.
You rock!
No worries, I corrected it for you. 🙂
K,
Thanks for saying such nice things, but I think I was just more stubborn than the malware was! I was so determined to get rid of it that I would have done whatever it took — so, it didn’t have a chance!
Thanks, too, for correcting my System 32 typo! After writing everything I’d written in that comment, it was a bit embarrassing to go back and find that error! Correcting it right in the comment is so much better than explaining it after the fact, because it clears up any confusion a reader might have had on initially reading it.
Thanks again for being such a great blogging friend — one who’s always so willing to help a fellow blogger/reader when needed!
Martin,
Thank you! Thanks goes to Jeanne for prompting me to write this tip. You bring up a very good point for downloading security software if the DNS appear to be hijacked for most sites.
This infection was thoughtful enough to prevent installing/updating any of those popular software even after a download but this tip could help in other instances.
Jeanne,
You are most welcome. 🙂
K,
Just discovered that both your Autoruns link and your Hijack This link take us to Hijack This. Figured you’d want to correct that. (Tried to use your link to reinstall Autoruns, and that’s when I discovered it.)
Can you help me? My computer has bin infected. This helped, but I have a question. The program blocked my downloads so I cant download any of the softwear you gave. So I cant complete the steps D: Can you help me?
Ryan, in that case you have to go with the option I specified above where you need to use a ‘boot time anti virus disk’. Try to burn that from a friends computer and run it in your infected computer. Good luck!
Ryan,
Here’s something else you can try in addition to getting the boot-time anti-virus disk: Go into your Control Panel and double-click “Add or Remove Programs.” Then, go to each or your anti-virus and anti-spyware programs and click “Change/Remove.” After that, click “Change.” (You can try clicking “Repair” first if you have that option, but that didn’t work for me.) When I clicked “Change,” my programs updated and sprang back to life. (Hopefully this will work for you. I’m not sure if it worked because of other system changes I’d made beforehand or not, but it’s certainly worth a try.) If it works, you can then do a couple of full scans of your PC and schedule a boot-time scan with your anti-virus program. I’d still recommend getting the boot-time virus scanner disk, though, just in case you need it. If it doesn’t work, you definitely will need the boot-time anti-virus disk.
Next thing I’d do is check to make sure your Windows Firewall is turned on. You’ll find that in your Control Panel, too. You may notice that your Windows Security Center icon is missing from your Control Panel, which prevents you from accessing your Security Center. I’m still working on this one. It’s been a week since my active PC Antispyware 2010 infection has been disabled, and I still haven’t been able to access my Security Center.
Another thing you’ll want to do is get PC Antispyware 2010 out of your Startup list (the list of files that automatically load at startup), which involves deleting a registry key. Until you do that, though, you’ll want to go into your System Configuration panel and uncheck PC Antispyware 2010, which you’ll find at the end of your list of Startup files in the Startup tab. This will prevent it from loading during startup.
To access the System Configuration panel, click “Run” in your Start menu, type in “msconfig,” and click “OK.” (Be very careful what you do in the System Configuration panel, though, because this can seriously affect the operation of your computer.) When you’re inside the Startup tab, uncheck “PC Antispyware 2010.” Once you’ve done this, you’ll notice, if you go into the General tab, that your sytem’s Startup mode changes from Normal to Selective. It isn’t intended to remain in Selective Startup mode indefinitely, so you’ll want to remove the registry key that’s causing the problem as soon as possible.
From what I understand, there are programs that will do that for you, though I personally did it manually, with my computer in Safe mode, after researching online to learn where to go in the registry to do it. (Again, it’s important to be very careful when making any changes to the Windows Registry, so as not to adversely affect the operation of your computer.) I’ve kept screenshots of the entire process of manually removing this registry key (actually, this registry sub-key). Perhaps K would want to include these in another post on this topic, so you can see the process in action.
Once you understand the process of finding the various branches of the Windows Registry — which works much like an outline, with headings (keys), sub-headings (sub-keys), and details (values) — the following registry location won’t be difficult for you to find: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg. This is where you’ll find the sub-key “PC Antispyware 2010,” which you need to delete. When you get there, you’ll notice various values (in the right hand panel, all of which are related to PC Antispyware 2010 and all of which will be automatically deleted when you select and delete the sub-key “PC Antispyware 2010” from the registry. Doing that will entirely remove PC Antispyware 2010 from your computer’s Startup list, causing it to automatically return to Normal Startup mode. (This won’t remove every malicious file related to the infection from other parts of your system, though. It will only prevent the main program from loading on startup.)
If you’re worried about trying to manually remove items from your Windows Registry, research Windows Registry (or Windows MSConfig) cleaners online and download one from a trusted source. (I hesitate to recommend one, since I’ve never used them and couldn’t say which ones would be good.)
PC Antispyware 2010 is a very insidious malware infection that isn’t easy to fully purge your system of. So, download all the anti-malware tools you can get your hands on (once you’ve regained your ability to do that by reactivating your current anti-virus and anti-spyware programs), because every program will find malicious files that the others miss — and you’d be surprised how many different ones this nasty program places on your system! Stick with it, and don’t give up until you’ve beat it!
Good luck!
Jeanne
Ryan,
Forgot to mention that, if you decide to delete the PC Antispyware 2010 sub-key manually, you can access the Windows Registry by clicking “Run” in your Start menu, typing in “regedit,” and clicking “OK.” You’d then navigate through the various branches of the registry, using your mouse (or mouse and arrow keys), until you locate the “PC Antispyware 2010” sub-key. Clicking to select it will reveal all its registry values in the right-hand panel. You can then either right-click the sub-key (in the left-hand panel) and choose “delete” or click “Edit” in the registry menu at the top of your screen while you have the sub-key highlighted and choose “delete.”
Remember to do this with your computer in Safe mode. If you need help getting into Safe mode, either K or I can explain how to do it.
Jeanne
K,
Hope you don’t mind my input and suggestions to Ryan on his problem. I can really empathize with his situation (since I’ve just gone through it), and I thought that maybe, through my own experience, I’d be able to provide a few helpful tips. Hope I haven’t overstepped my bounds!
Jeanne
Jeanne, absolutely not! You are offering true and personal insight into what you just went through. Your comments are adding more and more value to this issue and I really appreciate it. 🙂 Have at it!
Thanks, K! Certainly do appreciate your openness to your readers’ input!
man this malware is killing me. thanks so much for the post!
Thank you for your instruction, Jeanne. I am having the same troubles like you and tring to solove it manually.
Among your great tips, there is one thing that does not work for me.
After the infection, “Add and Remove” in my Control Panel does not work. Clicking it does not activate anything. Do you have any thoughts how to solve this problem?
Also, if you could share your experience about how to restore Windows Security Center after removing the virus, I would appreciate it a lot.
Again thank you very much for your time and effort.
Yosh
Why FBI does not investigate PC-Antispyware? It is really bad.
Yosh,
You’re very welcome! Don’t mind at all doing whatever I can to help people get rid of this really insidious malware. Unfortunately, I haven’t yet figured out how to get my Windows Security Center back, though I may be homing in on it. I’ve discovered some suspicious-looking registry values that are related to the Security Center, but I’m thinking that perhaps I should check with Microsoft before I delete them, since I’m not certain that all the values in question are actually malicious.
(Perhaps K would be interested in helping me out here by comparing my screen shots of these values to his own values in these specific parts of the registry to see whether any of them match up [in which case they’d probably be OK].) Some seem pretty obviously malicious, though, such as “AntiVirusDisableNotify,” “AntiVirusOverride,” “FirewallDisableNotify,” “FirewallOverride,” and “UpdatesDisableNotify.” Others I’m not so sure of, such as “FirstRunDisabled.” I’ve also found the “DisableMonitoring” registry value in one branch of the registry under the Monitoring sub-key of the Security Center registry key. This one looks suspicious to me, as well.
I could simply try saving these values before deleting them, so I’d be able to restore them if it turned out that they shouldn’t have been deleted; but I’m hesitant to do that, since I’m not sure what problems it might cause. I do, however, suspect that these values could just hold the key (no pun intended) to restoring my Security Center and will keep you apprised when I learn more.
So sorry to hear that the “Add or Remove Programs” link isn’t working for you. Can you tell me what happens when you double-click that link? Do you get a list of the programs you currently have installed on your computer, or does the link simply do nothing? If you do get the list of currently installed programs, are you able to locate and highlight your anti-virus and/or anti-spyware program(s)? If you can, what options are offered to you at that point?
This malware is a really tough one to beat; and even after the main infection is gone, you’ll find many lingering issues that will need to be overcome. But, don’t give up! Stick with it! We can work together to figure out how to overcome this malware menace!
I’m really thinking I need to contact Microsoft, since the company does want to know about anything that compromises the security of its applications and I’m really beginning to believe, more and more, that PC AntiSpyware 2010 qualifies!
Jeanne
Yosh,
Here’s something else to try to get your anti-malware programs up and running again (hopefully it will work):
Go into your Control Panel and double-click “Administrative Tools.” Then double click “Services Shortcut.” This will take you to a list of the services currently available on your computer, giving you information about each, including whether or not it is running and whether it is set to Automatic or Manual.
Locate your anti-virus and anti-spyware program(s) on this list and check to see whether their status is “Started,” “Disabled,” or whether there is simply a blank space in the “Status” column, which indicates that the program is not currently running. If they are not running–and especially if their status is “Disabled” (which is highly likely in this situation)–right-click on the name of the program, click “Properties,” and, in the window that opens, set them (in the “General” tab) to “Startup Type: Automatic.” Then click “Apply.” To start the programs, click “Start” and “OK.” Their “Service status” should now change to “Started.” Click “Cancel” to close the window and return to the Services list. Do this for each program, checking also, to make sure that your Security Center service is running (even if you can’t access it yet).
Also, make sure that Alerter and Messenger are running, and if they aren’t, set them to “Automatic” and start them. (Messenger has nothing to do with instant messaging, but instead, sends Alerter messages about your Windows Operating System.)
You’ll also want to check your Event Viewer (which is also found in Administrative Tools in your Control Panel) to see what important notifications you may have been missing. Event Viewer will give you a list of all the information items, error messages, and warnings you undoubtedly haven’t been getting because PC AntiSpyware 2010 has disabled your notifications.
(Think I will go in and delete the various “DisableNotify” values from my Windows Registry, since, as far as I can see, there’s no way these items could be good. There’s such a thing as being overly cautious, I think, which I believe I’d be doing if I put this off any longer. Will need to restart my computer in Safe mode, though, which does get a bit tiresome.)
Let me know how things go.
Good luck!
Jeanne
Yosh (and anyone else who’s been reading my above comments):
On second thought, I don’t think I’ll be deleting the above registry values after all–at least not at this point–since I really feel that I’m out of my league where the Windows Registry is concerned. I don’t have sufficient expertise to understand the data items that are associated with these registry values.
I’m looking at one of my Malwarebytes’ Anti-Malware program’s logs and notice that it says it has already taken care of a few of the registry items in question, and it appears that it may have done this by changing the info in the Data column (and thereby effectively deactivating the command contained in the registry value), which I believe has likely made it unnecessary to delete the entire value (though perhaps it wouldn’t hurt to delete it).
While I’m not absolutely certain this is what has occurred, it seems reasonable. Yet, I will be giving this a little more thought and likely doing more research before making any more changes to my Windows Registry. (It always pays to be cautious where your Windows Registry is concerned!)
I may ultimately go with my first instinct and send screenshots of these registry items to Microsoft and let their experts decipher them. I’m still deciding on this. At any rate, I have a strong feeling they’d be very interested in knowing about PC Antispyware 2010’s hijacking of their Security Center.
Just got this pesky thing, but it didn’t actually fully install but it’s still locking me out of everything…internet…gone….Won’t let me install malwarebytes, but I’m going to try using the bootable disc for Avira and will report back. I never actually ran a program but I think I downloaded something and extracted a file that automatically ran somehow….was supposed to be a e-book but it was an exe so i deleted it. I never have had a problem on my PC but this was my mom’s work PC. So I’ve been up all night because I have to fix it.
Thank you guys for all the advice. The Malwarebytes’ Anti-Malware worked! I am not computer savvy but am soo thankful it is gone 🙂
thanks again
Bob,
Sorry to hear that this malware is preventing you from accessing the Internet! This isn’t a problem that PC Antispyware 2010 caused me–though it did cause plenty of other problems! Throughout the entire ordeal, I’ve always had access to the Internet, though I often felt the malware was attempting to manipulate much of my Web surfing (which may or may not have been true, because I was using what was a new and unfamiliar Web browser to me at the time: Google Chrome).
Is PC Antispyware 2010 the specific malware program that has infiltrated your mom’s work PC? You’ll know by the windows that will continually pop up on her desktop and even on the Web pages she visits. They will look like the screenshot K has put into this blog post. You’ll also see a window that claims to be the Windows Security Center, giving you erroneous information about the Windows Firewall and the PC’s resident anti-virus program. If you don’t mind my asking, what browser does your mom use on her work PC?
Do you know whether your mom has recently allowed a Java update while she was surfing the Net? I’ve read that this is the way PC Antispyware 2010 is inadvertently downloaded (because, though the update appears legitimate, it really isn’t). I also know that I recently allowed a Java update while I was on the Internet, so this may be the way I contracted this malware.
Though I unfortunately don’t recall what day I allowed the “Java update,” I do know that I contracted the malware on August 8th. That also apparently was the day I downloaded the Google Chrome browser which I’m currently using. So, I’m keeping all these things in mind as I attempt to figure out how the malicious software was downloaded.
(I’m also wondering whether my old Yahoo! browser might not have had something to do with it, since I continued using it for quite a while after Yahoo! had warned me that it would no longer be providing updates and advised me to uninstall it and begin using Internet Explorer instead. Don’t believe I used it on August 8th, though I’m not absolutely certain. Since I might have used Yahoo! browser, the possibility of a security vulnerability does loom large when one considers the fact that there had been no recent updates.)
At any rate, I learned the other day from an expert on a malware forum, at BleepingComputer.com (wish I’d saved the link, because now I can’t locate the thread), that outdated Java programs definitely do present a security vulnerability which can lead to downloading malware, so you should check to make sure you have the most recent Java Runtime Environment update (currently JRE 6, update 16), and if you don’t, you should download it directly from the Java website. This malware expert stated that you should check the box that says “Windows Offline Installation,” then click the link below it and save the file to your desktop. You should then proceed to remove all older versions/updates of JRE or J2SE currently on your PC (after closing any programs you have running–especially your Web browser). Do this in “Add or Remove Programs” in your Control Panel. When all old Java versions/updates have been removed, restart your computer and then double-click the downloaded Java update and follow the installation instructions.
If your mom’s problem is PC Antispyware 2010, it won’t be quick and easy to remove all traces of it. But, try using any anti-virus and/or anti-spyware programs that may still be usable or that you can manage to start up again or successfully download. (See my above comments for some hints on starting up anti-malware programs that have been disabled by PC Antispyware 2010.) Run full scans with these programs, and set up a boot-time scan as well. If unable to do this, consider K’s advice of using a boot-time anti-virus disk, since it’s critical to get rid of any malicious files that load or regenerate themselves during startup.
Hope all goes well for you!
Jeanne
Thank you very much for this posting.
I had the PC Antispyware 2010 virus infect my computer and NOTHING could remove it.
I downloaded Malwarebytes and ran the program. Virus removed.
I’ll admit, I was leery to do it as I am not very tech savvy and afraid I might get another virus from the Malwarebytes instead. NO SUCH PROBLEM.
Once again THANK YOU and also to the people at Malwarebytes. Without this free download, I was looking at spending at least $125 at the local computer shop for the work to remove PC Antispyware 2010.
Can’t the government sue the creators of the PC Antispyware virus?
I would love to be a member of a class action suit against these B@@@@rds.
Yep, it was not exactly the same but I think a varient of pc antispyware 2010. I did get a message telling me about it but when I saw that I just found the service and shut it down. Then when I rebooted everything was just messed up…ended up needed work tech to give us a new PC for her job and wiping the old one.
Bob,
There seem to be quite a few variations of PC Antispyware 2010 out there, which apparently cause different issues for different PCs.
One good thing about having it be a work PC that was affected in your mom’s case was that you were able to turn the problem — and the PC — over to the work tech and get another! When it’s one’s own PC, one has little choice but to find a way to overcome the problem, either on one’s own or by paying someone else to do the job. Glad everything worked out for your mom! Thanks for reporting back and letting us know the outcome!
Jeanne
Yosh, K, and Everyone,
I’ve discovered, through trial-and-error, as well as online research, that the “AntiVirusDisableNotify,” “FirewallDisableNotify,” and “UpdatesDisableNotify” registry values are apparently added to the registry by one of our anti-malware programs (not sure which one) to avoid duplicate notifications, since the anti-malware program itself takes over this task.
That explains why, after I had tried two separate times to delete these three values from the “Local Machine” branch of the Windows Registry, I discovered, on checking after reboot, that all three were back again. I did, however, apparently manage to remove all three of these values from the “Current User” registry branch, since I no longer see any sign of them there. I’d guess that this is because they really aren’t needed in relation to the current user if they’ve already been implemented for the local machine the current user is using.
Still don’t know the significance of the “AntiVirusOverride” and “FirewallOverride” values, though, as I not only haven’t attempted to delete these but also have found no helpful info about them online.
Just wanted to pass along that info to anyone who might be interested, since I’d left the issue hanging last time. It’s good to know that these devious-sounding registry values can indeed be used legitimately and that we needn’t worry about them! After all, PC Antispyware 2010 already gives us enough to worry about!
Hi
I seem to have got PC Antispyware 2010 somehow aswell, but there is nothing that I can seem to do about it. Everytime i try to scan using McAfee security centre an error occurs, and Malwarebytes’ Anti-Malware won’t even start up
I even tried using the rescue disks ( I used Ultimate Boot CD, Avira Antivir and Kaspersky) and although Ultimate Boot CD and Kaspersky found 2 viruses, when I reboot my computer PC Antispyware 2010 is still there!
I am losing hope now, and i am afraid that I might have to take my computer to a shop, and have to pay a large amount of money to get rid of this malware
Is there anything else i could do to get rid of it once and for all?
Hello, I got the virus a couple weeks ago and it’s been giving me hell. I’m not computer-savvy, so could someone please explain to me what to do, in a more simple way?
I tried to use the Run command to delete registries, but it says that I’m blocked by administrator from doing that. I don’t know how so, as I am the administrator. Also, I don’t think I’m able to do the boot-disk thing, as I have no clue which is my network cable. I’m a minor, and my dad would be upset if I told him I’d been infected for a couple weeks now.
So, in short, any advice is much appreciated. This virus is one of the worst I’ve seen (and I’ve seen a few!) so I certainly can’t wait for it to begin.
Oh, one feature I didn’t see mentioned (or maybe just missed) is that it kills all Anti-Spyware programs. Generally during the “Preparing for Scan” phases, or sometimes later. Trying to run Avira even causes my computer to crash. So please, someone, help me end my misery.
Matthew,
For a few things you can try that might help get your anti-malware programs back up and running, first read the beginning of my first comment to Ryan, above. If that doesn’t work, try the technique mentioned near the beginning of my first comment to Yosh. In those comments, I’ve explained the two actions that were helpful to me in getting my anti-malware programs working again. If you try both and neither works, try going back and doing the first one again. Hopefully, that will help!
You’ll also need to uncheck PC Antispyware 2010 in your Startup list to prevent it from loading every time you boot up. I explain how to do this in my first comment to Yosh. As I also mention in that comment, you’ll eventually want to delete the PC Antispyware 2010 registry key that’s causing it to load during bootup, but until you can do that, unchecking the program in your Startup list will prevent it from loading.
Keep us posted on your progress.
Good luck!
Jeanne
JoshMac,
Try following the advice I just gave Matthew in the previous comment. As I’ve told Matthew, use the techniques I’ve described in my comments to Ryan and Yosh, and hopefully you’ll be able to get your anti-malware programs up and running and get PC Antispyware 2010 out of your Startup menu.
Once that’s been accomplished, your anti-malware programs will do much of the rest of what needs to be done for you.
Good luck and keep us posted on how things go!
Jeanne
P.S. If you have any questions, feel free to ask.
Yosh, K, and everyone who’s interested in finding your Windows Security Center:
I’ve finally located my Security Center and restored my access to it.
Here’s where I found it: C:/WINDOWS/$NtServicePackUninstall$ (Author note: substitute / with a backslash as the comment form has trouble displaying it)
To access the above folder, click “Start,” then “My Computer.” Then copy and paste the above information (without the period at the end) in the address bar and click “Go.”
This will take you to a hidden folder, which you won’t be able to locate if you simply double-click “Local Disc (C:)” and then “Windows” in “My Computer,” because the folder doesn’t show up there. This is why you’ll have to copy and paste the above information into the address bar, which will take you directly there.
This hidden folder contains a very large number of files, all the names of which appear in blue type (rather than the usual black type)–an apparent indication that they are hidden and possibly also that they are template files, which I realized later. I believe this folder contains not only the uninstall files for various updates, etc., but also extra copies of our computer’s critical system files–though I haven’t done an actual survey of which specific files are included here.
At any rate, the main point is that this folder is where I found my Windows Security Center file. This file is called “wscui,” which stands for “Windows Security Center User Interface.” This file uses a very plain-looking icon which looks like a sheet of paper with the top right corner folded down and has an image in the center. You may also notice another Security Center file here, which you’ll recognize immediately by the familiar four-color Windows Security Center shield. You’ll note that it also says “Shortcut.” This isn’t the actual Security Center file, but a shortcut to the Security Center. For now, you’ll want to concentrate on the “wscui” file, which is a Control Panel Extension that will allow you to access your Security Center from anywhere you place it.
I started out by moving “wscui” to my desktop, and it worked fine there, though it didn’t look as nice as the shield icon of the shortcut did. But, at least I was able to access my Security Center at long last! The simplest way for you to access your Security Center will be to place the “wscui” file on your desktop–though I would recommend that you copy and paste it, rather than moving it, as I originally did. This will leave a copy of it in the Uninstall folder, as well. This is the first and most important step to restoring access to your Security Center. Replacing the icon in your Control Panel will be a separate process. At least you’ll have access to the Security Center in the meantime, though.
I’ll return later to explain the remainder of the process I followed for restoring the Security Center icon to my Control Panel and replacing the “wscui” file in my System 32 folder. Everything that happened through my experimentation isn’t even completely clear to me, though my Security Center icon is now back in my Control Panel and the “wscui” file has been safely restored to my System 32 folder. Yet, I’m still puzzling out exactly what happened and why.
So, stay tuned. Try the above and please report back to us on your success in accessing your Windows Security Center so we can share your excitement!
Jeanne
Google Vundo virus and there’s a new tool that helps get rid of it.
The best thing to simply do against any virus is get a copy of Acronis True Image and make a backup 1:1 image of your HD before you get any trojans or viruses. This way, boom you can restore your pc to a healthy status. I have never had a real problem on my PC but it was my mom’s work PC as I had mentioned b4 that got infected. They simply gave her a new computer and cleaned the old one, but it was really, really infested. PC antispyware 2010 is what I believe a Vundo varient. Nasty little bugger too….the big trouble is that it leaves registry traces that malwarebytes does fix I believe. You need to re-install malware bytes but rename the executable to something else…I’ve read that it may help.
K,
Just noticed that there’s an error in my comment addressed to “Yosh, K, and everyone who’s interested in finding your Windows Security Center.” My apologies!
The text I said to copy and paste into the address bar in “My Computer” to locate your Windows Security Center should contain backlashes after “C:” and after “Windows,” but the Comment software apparently didn’t reproduce them.
The following is what you’ll want to use in place of the version containing no backslashes (only replace “[backslash]” with an actual backslash) before copying and pasting:
C:[backslash]Windows[backslash]$NtServicePackUninstall$
Comment boxes may simply not reproduce backslashes. Come to think of it, I’ve seen this phenomenon before.
If it isn’t too much trouble, K, would you mind making the correction right inside my earlier comment to avoid confusion? (PC Antispyware 2010 is causing people enough confusion without the solutions providing even more confusion!)
Thanks–and again, my apologies to all!
Jeanne
Jeanne,
I have to appreciate your continuous monitoring of this thread and providing assistance to those needing help. I have been so time constrained to reply here but I am so glad you have it upon yourself to help! You rock. The comment form does have problem displaying backslash so I have added forward slash with a note to replace it with a backslash)
Great idea, K!
Thanks for taking care of that! I hate to make it harder for people who are already struggling with PC Antispyware 2010 to correct their issues by having the fix be as confusing as the problem! Your idea for clarifying the file path was a great one!
Don’t mind at all helping out, since I know how frustrating this infection can be! I’m just hoping that everyone else will find their Windows Security Center in the same place I found mine. Hopefully this malicious program always puts it in the same folder. (Likely it does, because it’s such a convenient place to stash it, since it’s a hidden folder.)
Alright, here’s the newest episode in my saga of woe. I’m rid of the program itself, PC Antispyware 2010 no longer shows up in my list of programs or anything. However, it’s lackeys do. I know there’s a rootkit out there somewhere, but the problem is, I can’t find it. Malwarebytes, which I used to swear by, can’t even scan for more than 20 seconds before it closes out, and then the .exe for it becomes inoperable. Occasionally, by reinstalling it, I can get it to scan for a few seconds, but to no avail. I located my Windows Security Center; and it was disabled. I got Windows Defender to open, but it too closed out, saying a program had forced it too. Something in the System32 folder I’m pretty sure, because it was busy scanning that when it happens. I downloaded Avast, and it was kind enough to go ahead and do a boot-time scan or whatever it’s called. 10 hours later, it found over 25 infections, but the rootkit’s still there. Any more advice? I can’t afford to take my computer to a shop, and really really don’t wanna have to reformat my harddrive. I’ve been receiving help on BleepingComputer, but no program they recommend works, including HijackThis and ComboFix. Thanks for all your help here.
One thing I forgot to mention: the virus (or what’s left of it) seem to be doing three things. One, preventing antivirus software from successfully running, which is what I’m most worried about. Two, it frequently tells me that “Firefox has been disconnected from the server” when attempting to navigate to other sites, which is worked around easily enough. Three, it opens invisible Internet Explorer windows that don’t do too much, other than to be extremely annoying. Is there a way to prevent access to them? I tried to by using the “Set Program Access” option in the Start menu, but it didn’t do much. Thanks again!
JoshMac,
Have you tried restarting your anti-virus and anti-spyware programs by going into “Add or Remove Programs” and clicking “Change” and going into your list of services, clicking “Properties,” setting them to Automatic, and clicking “Start” (as I’ve described in my comments to Ryan and Yosh)? It’s critically important to somehow get your anti-malware programs running again, because they will find and remove the malicious files that are causing all the harm.
Another thing you’ll want to do is go to “Search” in your Start menu and manually search for every file that contains either “Braviax” (the virus that PC Antispyware 2010 puts on your PC) or “cru629” (another name for Braviax). Delete every file that you can find that contains either of these. (If you go into “My Computer” and access your System 32 folder (in Drive C and in the Windows folder), you may see a file there called “Braviax.exe.” That’s the executable program that helps keep PC Antispyware 2010 active on your system. You’ll definitely want to delete this one, along with all the other files containing the virus; though there are Trojans and rootkits that are also part of the package with this malware. Programs such as Rootkit Revealer or Trend Micro’s RootkitBuster can help you locate rootkits so you can remove any that contain either the virus or any Trojans you may recognize the names of. My only problem with Rootkit Revealer is that the last time I ran it, it found almost 41,000 files, and I had no idea where to even begin assessing the readout. RootkitBuster didn’t find anywhere near that many.)
If you find out during your search that any registry keys contain Braviax/cru629 (which they likely will), you’ll want to reboot your computer and put it into Safe Mode before deleting them. (You might even want to do that before searching for and deleting the files containing Braviax and cru629, though I didn’t.) To speed up your search, you might want to limit the dates, based on when you got the infection.
You’d also do well to delete your Beep.sys file and will most likely find that it’s been infiltrated by Braviax anyway. (This is apparently one of the favorite places to hide Braviax.) Your system doesn’t need the Beep.sys file to run; it only makes your computer beep on startup. You may find that you have two Beep.sys files. One will be found in System 32 Drivers, as I recall; and one may simply be found in your System 32 folder. (Not absolutely sure about the second one because I didn’t find it myself; Avast! found it and put it into my Recycle Bin when I managed to start it up again.)
If you want to search for your Beep file, use the same process mentioned in this comment, but just search for “Beep” without the “.sys” extension. Searching without using the file extension (with Beep or any of the other terms mentioned above [i.e., Braviax and cru629] will allow you to find all files that contain it, no matter what file extension they use.)
Try these ideas for now, and let us know how it goes; then we’ll take it from there. If I have any other ideas in the meantime, I’ll stop back and let you know.
Good luck!
Hey Josh, that’s the point I was at….the main thing was not installed…the virus but it was still doing other bad things and I had given up.
Try changing malwarebytes name that launches the program…..I did not try this, but leanred about it after I had given up.
google “vundo fix” and you may find some other various programs. I see bleepingcomputer does have a vundo fix as well….this thing is a bad boy so keep trying or format. I had to give up because it was not even my computer….and like I said, always make a backup image so you can avoid MAJOR problems like this. Acronis saved me many times.
Bob and JoshMac,
I didn’t try changing the name of any of my anti-malware programs, either, though I did try changing the name of Braviax.exe, which didn’t do any good. Hopefully it will help in this instance, though. It’s so important to get those anti-malware programs up and running and/or to download others that can help get rid of the amazing number of infected files PC Antispyware 2010 puts on your computer.
I’d keep trying to download every anti-malware program and tool I can think of, because you never know when one of the downloads you try will work.
Vundo was not one of the Trojans that was involved in my PC Antispyware 2010 infection, as far as I can tell. Win32:Fraudo, JS:Pdfka-MQ, Win32:Vuku, Win32:Spyware-gen, and Win32:Trojan-gen were involved in my PC’s infection, and all were found by Avast! Avast! also found Win32:MoPack, which it classified as “[Cryp],” as opposed to “[Trj],” and also located the rootkits Win32:FakeAV-NO and Win32:Rootkit-gen. (Perhaps some were unrelated to this particular infection, but all were found at the same time my PC was infected with it.)
This infection is very bad, and the number of files affected is quite large. That’s why anti-malware programs are so important in fighting it. So, keep trying everything you can think of to get yours working again and/or to get new ones effectively downloaded.
Hopefully your name-change idea will work, Bob!
JoshMac,
Don’t forget to make sure that PC Antispyware 2010 is unchecked in your Startup list, so it doesn’t load every time you boot up. (You’ve said it’s no longer in your list of programs. Were you referring to your Startup list?)
It might also make a difference if you go into your list of Services and enable the services that have been disabled. I found several disabled services after my malware attack, and I believe most of these were probably intentionally disabled by the malware in order to prevent my PC from working properly. As I recall, I enabled all these (except for one–explained below) before I managed to get my anti-malware programs started again. You may need to do this before you can get yours running, too. In my second comment to Yosh, quite a bit earlier in the comments on this post, I explain how to do that.
I’d go into the Help screen, once you get there (via my instructions to Yosh), type the word “Services” into the search box and click “List Topics.” Then choose “Default settings for services” in the list of topics and click “Display.” This will show you the default setting for each service. Use this as a guide to properly enable each of your disabled services. Only one service on the entire list is supposed to be disabled, according to this list of default settings: Human Interface Device Access. All the others should be set to either Automatic or Manual, as indicated on this list.
Hopefully, enabling all your services will not only help you get your anti-malware programs running but will also help you with your server disconnection problems, as well, since some of the disabled services appear to be network-related. (Some services are also dependent on other services to function properly. You can see these dependencies when you open the Properties window for each Service.)
Don’t really know about the third issue you’ve brought up. I, too, had wondered if it might be possible to deny access but couldn’t figure out how to do it or if it could even be done. Figured it might be too late at this stage of the game, since the malware has already entrenched itself in the system–but would love to find out I’m wrong about that! If anyone knows how to do it, we’d certainly appreciate hearing about it!
I know it’s called Fraudo or whatever, but I’ve heard the PC antispyware is a Vundo varient. I did not know this beforehand. If you look up Vundo in Wiki though, it’s explained that a similar program just like PC antispyware is used. It also does the exact same things as this does. I had managed to del Braviax.ee as well…but there was a lot of redistry entries that I just couldn’t track down. Eventually I just made so many mistakes that I had no internet even with all my services put back the way they were…was really nasty.
I checked my services, and they seem…. Decent at best. Bitdefender’s been inactive from the start, and Avira works, to a certain extent. However, it didn’t show up in the list of services? And I couldn’t reactivate Bitdefender. None of the other anti-malware programs I have showed up except the recently installed Avast, and that was activated.
When I said that PC Antispyware 2010 is gone from my list of programs, I mean completely, as far as I can tell. I deleted its file from my “Program Files” folder, uninstalled it (for some reason, the uninstall feature the virus gave me itself worked, go figure) removed it from programs, and was not in my list of services.
At the moment, I’m running Rootkit buster, it’s found a couple things so far. By the way, I tried renaming Malwarebytes a while ago, didn’t seem to help. The guy on BleepingComputer recommended it too.
Oh, also, under “Add Or Remove Programs,” I don’t get a change option. I get a remove option, but that’s it.
Bob,
I can believe it’s a Vundo variant. Just noticed today that I had a Spybot S&D (zipped) file named Virtumonde, which, when I researched it online, I learned is a variety of Vundo. So, I either had both it and PC Antispyware 2010 at the same time, or it helped to cause my PC-A 2010 infection. Nasty is definitely the word!
Yea…that’s crazy….you probably did have both. When I saw the initial alert that pc antispyware 2010 wanted to install, I knew already I had trouble. The problem for me was that I never actually installed it to be uninstalled and that threw me for a loop on getting rid of it. I had tried other things and deleted files manually but it had always partially managed to come back upon rebooting even after a system restore. The system restore did however let me back onto the internet. Well…I know there’s worse out there, but as far as annoying on a constant basis, this thing is far up on the list. I do not know how exactly I got it though and since my mom is on a work network someone else had gotten the same thing….so I’m not sure if there was some sort of random attack or something or someone else ran something they shouldn’t have ran. I did download what I thought was an e-book, but turned out not to be (so I deleted it after I unrared it but did not execute) I wonder if that matters…??? Can something run if you don’t double click it…..not sure. It seemed to happen near that time….adobe acrobat just went nuts opening a bunch of times, things started slowing down, then boom I rebooted cause it locked. Then when it came back on I had seem pc antispyware pop up and thought…oh man…I got a virus on here…..screwed!
Avira was no good….it eventually went bye bye…. it did detect things but never fixed the entire damage so I think it just replicated itself. NOD4 was automatically shut-off by the virus…and counterspy 3 worked once, then the trojan got wise and shut it down, then deleted it. The company had some old Mcafee on there….completely pointless.
As usual Malwarebytes would uninstall itself or become useless…Not sure what else I could have done, but here’s hoping everyone else has better luck then I did. Here’s also hoping no one gets it again! hehe! Peace….